Data protection damages and tax evader CD

Data protection tax evader CD

Does the authority have to respect data protection with the tax evader CD?

Imagine the following fictitious case: German authorities purchase a CD containing personal data of actual and/or alleged tax evaders.

The seller is, for example, a bank employee who has stored personal bank data from the bank's systems without authorization and then offered this data pool for sale to the tax authorities. On the basis of this data, criminal tax proceedings are later initiated and tax arrears are assessed. Under data protection law, the collection, processing and use of personal data is only permitted within the framework of a strict purpose limitation (Section 28 BDSG).

The transmission and use of such data for another purpose is also permitted in principle for the prosecution of criminal offenses. However, criminal prosecution is subject to formal proceedings. Therefore, formal investigation proceedings are usually initiated if there is an initial suspicion.

This was not the case for the data subjects in the data pool. Therefore, the purchase of the data was not part of a specific investigation procedure and the transfer and use of the data would be inadmissible. However, the unlawful collection or use of personal data makes the responsible body liable for damages (Section 7 BDSG).

This means that all financial losses suffered by the data subject - in this case the bank customer - as a result of the unauthorized data collection, processing or use are compensable damages. If several parties, such as the bank or bank employees, have acted unlawfully, they are jointly and severally liable. In this respect, the question arises as to whether affected tax evaders can make the tax authorities, for example, liable for damages as the purchaser of the data CD, because fiscal interests are not a reason under Section 28 (3) BDSG to lift the strict purpose limitation of the acquired bank data.

In addition to any procedural costs and fines, it may even be necessary to examine the possibility of compensation for damages, as provided for in various state data protection laws. Data subjects and consultants will not ignore the data protection aspects when defending against claims or justifying recourse. Companies take appropriate measures to protect themselves against data theft at an early stage and are aware of the risk of data misuse by employees. Some companies keep databases that could be of interest to third parties and whose sale could be a great temptation for employees. Even in the event of data theft, a company must expect claims from those affected if security measures have not been taken against this.

Share this post :